
VoIP security threats: Fact or fiction?

By Cara Garretson, Network World
July 25, 2005 12:07 AM ET

Imagine an intruder found his way into your VoIP network undetected and began listening to any conversation he chose, extracting sensitive information, company secrets or even details he could use to blackmail your CEO.

Last month, a company called Internet Security Systems (ISS) issued an alert to warn users that Cisco's VoIP offering had a security flaw that would allow just that. According to the company, this implementation flaw in Cisco's Call Manager, which handles call signaling and routing, could allow a buffer overflow that would grant an intruder access to the system to listen in on all calls routed through it.

This is one scenario described by ISS and other vendors focused on selling technology to plug the security holes in VoIP, a method for sending voice traffic over IP that many say was not designed with security in mind. ISS and its competitors, which come to this new field largely from the VoIP management and IP security markets, forecast big risks for companies that don't take VoIP security seriously, and undoubtedly look forward to formidable revenue streams generated by those that do.

Growing pains

VoIP "is going to have growing pains when it comes to security," says Neel Mehta, team lead with ISS's X-Force research and development group. "It's still an emerging threat, but one we take very seriously."

This group of vendors, which includes BorderWare, Secure Logix and NFR, urges the use of such security appliances as firewalls that are specifically designed to filter VoIP traffic for suspicious patterns and drop those connections.

Yet it's difficult to find a company that has suffered at the hands of VoIP abusers, be they spammers clogging voice mail boxes with unwanted messages, intruders listening to phone conversations or scammers masking their true identity. So far, the threats appear to be largely hypothetical.

"I don't think there's a whole lot of real threats right now," says Irwin Lazar, senior analyst with Burton Group. "VoIP is still pretty much a closed system; almost no company exposes their VoIP system to the Internet." However, once that changes and companies start publicizing their SIP addresses used in VoIP communications on business cards and Web sites, security will become essential, he says.

For the moment, VoIP security does not appear to be at the forefront of IT managers' minds.

Last year, VoIP management vendor Qovia announced it had filed a patent covering a technique for catching VoIP spam, considered to be one of the more immediate threats to these networks. Qovia planned to release this spam-catching module last year, but hasn't yet done so, because of lack of market interest, says Pierce Reid, Qovia's vice president of marketing.

Hot topics

However, Reid says interest in such products is beginning to pick up, adding that security issues are now hot topics at VoIP events. "Part of what we wanted to do a year ago was helping to raise awareness in time to protect ourselves before we're hit" with VoIP threats, Reid says. The company plans to announce its anti-spam product's availability later this year.
